Hey all,
I had a little free time and was rooting through my iPhone's folders with WinSCP and I came across a fun little plist.

With said plist and a little hackery, the following can be achieved:

A fake, albeit convincing, restore image:

Fooling iTunes:

Real iPhone Snapshots:

I promise you, none of the above have been doctored in any way other than to remove sensitive information.
This is extremely easy to do:

1. Making the fake firmware file:
All you need to do is take any large file and zip it, then name the zip file to "ipsw." For my screenshot I took the 1.1.1 ipsw, renamed it to zip, unzipped it, then rezipped the new file with a lower compression in order to obtain a larger file size, and finally renamed it.

2. Modifying the plist on your iPhone:
SSH into your iPhone and navigate to "/System/Library/CoreServices".
In this folder, there's a file called "SystemVersion.plist" which is what we edit. That plist looks something like this:

The two bold values are what you need to edit. Apple iPhone firmware numbers typically follow this sort of format: #X###x ("#" being a number and "X" and "x" being upper- and lower-case letters). For example, 3A109a is 1.1.1's build number.

3. Taking fake screenshots and distributing them:
Reboot your iPhone and plug it into iTunes, which will see it as whatever firmware you set it as. Now you can take screenshots of iTunes, of your fake ipsw, and of your iPhone using the snap utility by Erica Sadun. Now all you have to do is send a few emails, and you're world famous for having cracked Apple's databases, stolen partially-developed firmware, and jailbroken it. And when everyone starts yelling that you Photoshopped the images, you can honestly say that they're completely real.

Have fun
I'll go back to working on iDemocracy now

-- Drakenza

Disclaimer:
Don't really try to get famous by faking screenshots of a new firmware. This tutorial is just for fun... If you get sued by Apple or hated by the MMi community or whatever, you can't hold me responsible.

@King Chronic: No, but interestingly enough I've been trying with doctored firmware images. I hit a hard stop at one "error 6". I'm thinking iTunes obviously checksums or looks for a signature or something which gets blown away due to de-/re-compressing the ipsw file. One approach would be to just disassemble iTunes and patch the checker, but I'm thinking that's illegal.

True, but who would know you patched it?

Perhaps Apple compressed it in a certain way that it is readable by Stuffit/WinRAR (whether you are on Mac/Win respectively), but also in a way that cannot be reproduced by the above programs.

If Apple wrote their own compression algorithm I doubt they would make it readable by anything other than iTunes. The fact that WinZip, WinRAR, Stuffit, and all the various other programs can extract ipsw files indicates that they're standard ZIPs. However, the degree of compression is not known.
I'm going to try to get the MD5 hash of a clean IPSW, unzip it, rezip it on various compressions, and compare hashes.
It's also very possible that iTunes doesn't care at all about the MD5 and rather, during that extraction phase, it goes through the file list and looks for non-Apple files.
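The hash experiment described in this post, written out as an added example (this is not code from the thread or from any of its posters). It builds a constructed stand-in for an .ipsw with made-up member names and contents, repacks it with a different compression setting, and reports separately whether the container bytes still hash the same and whether each member's decompressed content still hashes the same. Member names, the plist text and the build strings are all constructed; the point it shows is that re-zipping changes the container hash even when nothing inside changed, while a changed member shows up in the per-entry hashes.

```python
import hashlib
import io
import zipfile

# Fixed timestamp so the archive bytes depend only on content and
# compression settings, not on when the example runs (constructed value).
FIXED_DATE = (2007, 10, 1, 0, 0, 0)

# Constructed stand-in for the members of an .ipsw; not real firmware,
# and the plist key/value are made up for the example.
SAMPLE_MEMBERS = {
    "Restore.plist": b"<plist><dict><key>ProductBuildVersion</key>"
                     b"<string>3A109a</string></dict></plist>",
    "kernelcache.release": bytes(range(256)) * 64,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_archive(members: dict, compression: int, level=None) -> bytes:
    """Pack members into a zip deterministically with the given method/level."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(members.items()):
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE)
            zf.writestr(info, data, compress_type=compression, compresslevel=level)
    return buf.getvalue()


def entry_digests(archive: bytes) -> dict:
    """SHA-256 of each member's decompressed bytes, keyed by member name."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {info.filename: sha256_hex(zf.read(info)) for info in zf.infolist()}


def repack(archive: bytes, compression: int, level=None) -> bytes:
    """The thread's experiment: unzip every member and zip it all again."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = {info.filename: zf.read(info) for info in zf.infolist()}
    return build_archive(members, compression, level)


def compare(reference: bytes, candidate: bytes) -> dict:
    """Report whether the container bytes match and whether the payload matches."""
    ref_entries = entry_digests(reference)
    cand_entries = entry_digests(candidate)
    changed = sorted(
        name for name in set(ref_entries) | set(cand_entries)
        if ref_entries.get(name) != cand_entries.get(name)
    )
    return {
        "container_match": sha256_hex(reference) == sha256_hex(candidate),
        "content_match": not changed,
        "changed_entries": changed,
    }


def demo() -> dict:
    original = build_archive(SAMPLE_MEMBERS, zipfile.ZIP_DEFLATED, 9)
    # Same payload, repacked with no compression: the container hash changes,
    # the per-member content hashes do not.
    recompressed = repack(original, zipfile.ZIP_STORED)
    # One member altered (constructed build string): both checks now fail,
    # and the per-entry comparison names the member that changed.
    tampered_members = dict(SAMPLE_MEMBERS)
    tampered_members["Restore.plist"] = tampered_members["Restore.plist"].replace(
        b"3A109a", b"4A100z"
    )
    tampered = build_archive(tampered_members, zipfile.ZIP_DEFLATED, 9)
    return {
        "recompressed": compare(original, recompressed),
        "tampered": compare(original, tampered),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

A check that hashes only the .ipsw file (what the "MD5 of a clean IPSW" idea measures) cannot tell a harmless recompression from a real modification; a check over the decompressed members can, which is why the example reports both.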

I was looking around in the dev wiki today and apparently people have been trying to do this, but the only problem is, iTunes doesn't like the fact that the modded DMG wasn't re-encrypted. It looks like it sort of came to a halt at that point...

Yah, while this is just a fun joke, being able to distribute (non-officially, of course) pre-modded firmwares would be a fun, although dangerous (imagine the n00bs trying and getting jacked up stuff on folks' phones) hack. Reminiscent of the PSP modding scene.

Pre-modded firmwares would not only be fun, they'd be ridiculously useful. Imagine if you could just download a file, restore it with iTunes, and that's it. You're jailbroken, ready for unlocking, ringtones, whatever.
If we could use the same protocols to restore the image automatically as well, that would be the ultimate one-click solution. I suppose if someone really has the time and the experience they could reverse-engineer iTunes' algorithm... but I doubt anyone is really that good at ASM...